A team of four security researchers, using the group name TrainHack, presented their work in a talk dubbed Reverse Engineering a Mass Transit Ticketing System at the Ruxcon security conference in Melbourne today.

It cost only a few hundred dollars to buy a card reader and equipment to crack the cards.

They chastised the use of weak custom encryption but in line with disclosure agreements did not name the type of cryptography used or identify the affected organisation.

But they said the transport organisation faced such an onerous task in fixing the massive distributed transport system – which spread across multiple modes of travel including trains and buses – it may withold a fix and wait for a scheduled upgrade of the system.

“It was independent research, done through curiosity,” Johnston said.

"The custom cryptography was made before I was born".

The transport organisation did not reveal the cost of repairing the flaws.

After about a week's worth of research, drawn out over months, the students sent their findings including a string of ticketing data extracted from the cards to the transport organisation as part of responsible disclosure.

About two months ago, they met the organisation's chief information officer and resident subject matter experts to discuss the flaws.

Their research was made using purchased tickets rather than the public transport hardware to avoid breaching computer crime laws.

All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.Your use of this website
constitutes acceptance of nextmedia's Privacy Policy and
Terms & Conditions.